U.S. ELECTION ASSISTANCE COMMISSION
OFFICE OF INSPECTOR GENERAL
1225 New York Ave. NW - Suite 1100
Washington, DC 20005

September 28, 2007

Memorandum

To:       Thomas Wilkey
          Executive Director

From:     Curtis Crider
          Inspector General

Subject:  Non-Compliance with the Federal Information Security Management Act
          by the U.S. Election Assistance Commission
          (Assignment No. I-EV-EAC-03-07)

The EAC has made improvements in the information security area, but additional actions are needed to bring the EAC into compliance with the Federal Information Security Management Act (FISMA) and Office of Management and Budget (OMB) guidelines.

FISMA (Section 3544) requires the Head of each Federal agency to provide "information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of -

(i) information collected or maintained by or on behalf of the agency; and

(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency."

EAC is a small Federal agency; it has an annual operating budget of approximately $16 million and has 38 employees and contractors. More importantly, it does not own or operate any information technology (IT) systems. The EAC uses a Federal service provider, the General Services Administration (GSA), for its information technology needs. Thus, we believe, the impact of its non-compliance is minor. Nonetheless, the Office of Management and Budget (OMB) advised [1] in its fiscal year 2007 reporting requirements that the EAC and GSA have a shared responsibility for FISMA compliance.

[1] See OMB Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act, dated July 25, 2007.

DISCUSSION

Congress authorized the EAC with the passage of the Help America Vote Act (HAVA) in October 2002. According to HAVA, the duties of EAC are to "serve as a national clearinghouse and resource for the compilation of information and review of procedures with respect to the administration of Federal Elections ...." EAC's first full year of operation was fiscal year 2004.

The General Services Administration (GSA) provides administrative support and related IT services for personnel management, payroll, and financial management to EAC under three reimbursable agreements. GSA also furnishes IT support by maintaining EAC's Local Area Network and electronic mail. EAC's website is operated by an independent contractor.

EAC has not yet established policies and procedures for information security or privacy management.

RECOMMENDATIONS

We recommend that the Executive Director:

   1. Establish and implement policies and procedures for information security and privacy management.

   2. Comply with the applicable provisions of FISMA and OMB implementing guidance.

AGENCY COMMENTS

The EAC recently entered into two key contracts with third parties to comply with procedural requirements. First, the EAC contracted with a firm to create a Continuity of Operations Plan (COOP), which is required by National Security Presidential Directive 51. The EAC anticipates receiving a COOP from the contractor on or before December 31, 2007. In addition to the COOP, the EAC entered into a contract with another firm to assist in (1) creating policies and procedures for processing Freedom of Information requests, (2) giving public notice of meetings pursuant to the Government in the Sunshine Act, (3) publishing a policy concerning records under the Privacy Act, (4) creating a common rule for grants, and (5) creating Touhy regulations. The EAC anticipates receiving a completed project from the firm on or before April 30, 2008. EAC has worked with the Office of Personnel Management to identify an individual to assist in the development of agency policies and procedures, including those identified in the recommendations of this report. It is anticipated that the contractor will begin work shortly after the beginning of the fiscal year.

RESPONSE TO MEMORANDUM

Please provide a response to this memorandum by November 3, 2007. Your reply should indicate whether you agree or disagree with the recommendations and, if applicable, include a plan of action for implementing the recommendations. The plan should include target dates and the name of the official responsible for implementing the recommendations.

The legislation creating the Office of Inspector General requires that we report to the Congress semiannually on all reports issued, actions taken to implement our recommendations, and recommendations that have not been implemented. Therefore, this report will be included in the next semiannual report.